
RedTiger infostealer targeting gamers and Discord accounts


RedTiger, an infostealer first released in 2024, has been observed in the wild targeting gamers and Discord accounts, but that narrow focus may not last long.

Because it focuses on data exfiltration, persistent access, and account compromise, security professionals say it could spread beyond gaming into enterprises and other vertical sectors.

In an Oct. 23 blog post, Netskope researchers said RedTiger operates as an open-source Python red teaming tool that bundles network scanning, open-source intelligence (OSINT) and phishing toolkits, an infostealer, and Discord-related tools.

“As is often the case with red team tools, attackers usually adopt them and use them for malicious purposes,” wrote the researchers.

Ray Canzanese, director of Netskope Threat Labs, explained how RedTiger's comprehensive feature set could be adapted by other threat groups, saying the infostealer's capabilities include the following:

Data exfiltration and sensitive information loss

RedTiger targets a wide array of sensitive data, including browser-stored passwords, cookies, payment information, and sensitive files. In an enterprise context, this could extend to corporate credentials, intellectual property, regulated data, and source code. The exfiltration mechanism, which involves uploading archived data to cloud storage (GoFile) and sending download links via Discord webhooks, presents a challenge for traditional perimeter defenses.

Persistent access and account compromise

The infostealer's ability to maintain persistent access to Discord accounts, even after password changes, highlights a critical risk. This mechanism could be adapted to other enterprise communication platforms or cloud services (Slack, Microsoft Teams), which could let attackers sustain access to compromised corporate accounts and leverage them for further malicious activities, such as business email compromises (BECs) or internal phishing campaigns.

Initial access for advanced threats

Infostealers serve as a primary initial access vector for larger breaches, including ransomware, espionage, or BECs. RedTiger's capabilities could offer attackers the initial foothold they need to deploy more sophisticated malware or conduct targeted attacks within an enterprise network.

Integration with broader attack frameworks

Attackers could integrate RedTiger's capabilities into larger attack frameworks, offering a more robust initial access and data exfiltration component for more comprehensive campaigns. This aligns with the trend of threat actors leveraging readily available tools to enhance their operations.
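The exfiltration chain described under "Data exfiltration and sensitive information loss" (an archive uploaded to GoFile, then the download link posted to a Discord webhook) is a pattern a SOC can correlate in web-proxy logs. The following is an added detection example written for this article, not code from Netskope or from the RedTiger project. The log format, the GoFile upload path, the byte threshold, the correlation window and the non-browser user-agent heuristic are all assumptions for illustration; the sample log lines are constructed.

```python
"""Correlate proxy-log events that match the RedTiger exfiltration chain:
a bulk upload to GoFile followed, from the same source host, by a POST to a
Discord webhook. Discord webhooks and GoFile are both used legitimately, so
the detector alerts only on the two-step sequence, not on either host alone.
Log format, hostnames, paths and thresholds are assumptions for this example."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional
from urllib.parse import urlparse


@dataclass
class ProxyEvent:
    ts: datetime
    src: str
    method: str
    url: str
    user_agent: str
    bytes_out: int


# Assumed proxy log line: <ISO timestamp> <src ip> <METHOD> <url> <bytes out> "<user agent>"
LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\d+) "([^"]*)"$')

# Discord webhook URLs look like https://discord.com/api/webhooks/<id>/<token>
DISCORD_WEBHOOK_RE = re.compile(r"^/api(?:/v\d+)?/webhooks/\d+/[\w-]+")


def parse_line(line: str) -> Optional[ProxyEvent]:
    """Parse one log line; return None for lines that do not fit the assumed format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, method, url, bytes_out, ua = m.groups()
    return ProxyEvent(datetime.fromisoformat(ts), src, method.upper(), url, ua, int(bytes_out))


def is_discord_webhook(ev: ProxyEvent) -> bool:
    u = urlparse(ev.url)
    return (u.hostname in {"discord.com", "discordapp.com"}
            and ev.method == "POST"
            and bool(DISCORD_WEBHOOK_RE.match(u.path)))


def is_gofile_upload(ev: ProxyEvent, min_bytes: int = 1_000_000) -> bool:
    """Bulk upload to gofile.io or one of its storage subdomains (threshold is an assumption)."""
    host = urlparse(ev.url).hostname or ""
    return ((host == "gofile.io" or host.endswith(".gofile.io"))
            and ev.method in {"POST", "PUT"}
            and ev.bytes_out >= min_bytes)


def non_browser_agent(ua: str) -> bool:
    """RedTiger is a Python tool; a Python HTTP client user agent raises severity (heuristic)."""
    return ua.lower().startswith(("python-requests", "python-urllib", "aiohttp"))


def find_exfil_chains(lines: List[str], window: timedelta = timedelta(minutes=10)) -> List[dict]:
    """Return one alert per (GoFile upload -> Discord webhook POST) pair from the same host."""
    events = [e for e in map(parse_line, lines) if e is not None]
    events.sort(key=lambda e: e.ts)
    last_upload: Dict[str, ProxyEvent] = {}
    alerts = []
    for ev in events:
        if is_gofile_upload(ev):
            last_upload[ev.src] = ev
        elif is_discord_webhook(ev):
            up = last_upload.get(ev.src)
            if up is not None and ev.ts - up.ts <= window:
                alerts.append({
                    "src": ev.src,
                    "upload": up.url,
                    "webhook": ev.url,
                    "bytes_out": up.bytes_out,
                    "severity": "high" if non_browser_agent(ev.user_agent) else "medium",
                })
    return alerts


# Constructed sample log: one stealer-like chain from 10.0.0.23, a lone CI webhook
# post from 10.0.0.40, and a browser upload to GoFile from 10.0.0.51 with no webhook.
SAMPLE_LOG = [
    '2025-10-23T09:14:02 10.0.0.23 POST https://store1.gofile.io/uploadFile 4194304 "python-requests/2.31.0"',
    '2025-10-23T09:14:05 10.0.0.23 POST https://discord.com/api/webhooks/1234567890/abcDEF_ghi-jkl 612 "python-requests/2.31.0"',
    '2025-10-23T09:20:11 10.0.0.40 POST https://discord.com/api/webhooks/2222222222/ci-notify-token 300 "curl/8.4.0"',
    '2025-10-23T09:30:00 10.0.0.51 POST https://store2.gofile.io/uploadFile 8388608 "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"',
    'this line is not in the expected format',
]

if __name__ == "__main__":
    for alert in find_exfil_chains(SAMPLE_LOG):
        print(alert)
```

Run against the constructed log, the detector produces a single high-severity alert for 10.0.0.23; the CI webhook and the browser upload are ignored because neither completes the two-step chain. In a real deployment the GoFile path and the minimum upload size should be tuned to the proxy's actual logging, and the same correlation can be extended to other link-sharing hosts and chat webhooks that an adapted variant might use.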
